from the more-experts-weigh-in dept

We've covered at great length the problems with DNS filtering in SOPA and PROTECT IP (PIPA) and how it will harm internet security. These concerns were first highlighted by a group of folks who are considered to be some of the foremost experts (and original architects) on DNS. The MPAA and other SOPA/PIPA startups have been trying for months to diminish these points, but have yet to find any kind of argument that makes sense. The argument they fall back on is "well, if this law breaks DNSSEC, just change the code and fix it." This represents a fundamental misunderstanding of the technoloy. That's not too surprising, coming from the MPAA, frankly. However, now, Sandia National Labs, which is a part of the Department of Energy, has sent a letter to Rep. Zoe Lofgren confirming most of the problems with the idea of DNS filtering, noting that it would make the internet less secure... and would do nothing to actually stop piracy.

It is not likely DNS filtering would be effective in blocking U.S. access to targeted foreign websites....

On the question of DNSSEC, the letter notes that slowing the adoption of DNSSEC would have significant "negative consequences" for US online security. While DNSSEC may not be fully rolled out yet, nearly everyone who understands this stuff knows that it's needed to fix key flaws in DNS. And while it takes time, simply breaking it and waiting for the next generation to rewrite it from scratch would be a mistake. Many years of careful work has gone into DNSSEC. Scrapping it for something else random is not going to help.

At this point, I don't see how any SOPA/PIPA supporters can still claim that the concerns over DNS blocking are unfounded. When you even have a major national lab saying that it's a bad idea, won't work and will be bad for online security... can the MPAA still respond with nothing more detailed than "we disagree" (which was the MPAA's actual statement at the hearing when challenged about the security problems associated with DNS blocking).

Reader Comments

Re:

I think you've misconstrued the issue with routers. The only way in which DNSSEC will affect most provider devices (including true layer 3 routers) is by increasing the size of DNS packets. For almost all devices that shouldn't be a problem. ISPs, then, shouldn't have to upgrade their infrastructure much beyond their nameservers.

Where DNSSEC could become a problem is the ALG in NAT gateways (including home routers), which is responsible for parsing DNS responses to determine which masked computer they're intended for. Poorly implemented ALGs may be confused by DNSSEC packets. I suppose it's also possible that some gateway devices include a caching DNS resolver or some sort of DNS proxy that would need to be updated, but I've personally never seen one. DNSSEC is not exactly a new protocol, however. Most reasonably new hardware should support it.

Turning on DNSSEC too early won't break the Internet. Legacy clients will simply continue to use regular, unsecured DNS. Rolling out DNSSEC won't do anything to change that. While it is true that clients configured to require validation will fail if the recursive resolver doesn't support it, that's a per-client setting and can easily be disabled.

All of that is largely irrelevant to the discussion of SOPA. Your post seems to be insinuating that DNSSEC is not ready and thus we have time to fix it. Unfortunately, SOPA doesn't just break some implementation detail of DNSSEC as the MPAA seems to think. It breaks the very idea of DNSSEC. It enshrines in law the idea that the recursive resolver must lie to the client, which is exactly what DNSSEC was designed to prevent.